Wed, 25 May 2005 23:03:13 +0100
On Wed, 25 May 2005 17:45, Alexander Willman <[log in to unmask]> said:
> Is there a vulnerability in LISTSERV versions 1.8d through 14.3 as the
> forwarded message below indicates? If so, is there indeed a level set
> release newer than 14.3 that fixes the problem? The LISTSERV download web
> site still indicates that 14.3 is the latest version. Thanks.

The latest download should include a fixed wa executable.

Alan Thew

>
> Alex
>
>
> -------- Original Message --------
> Subject: High Risk Vulnerability in L-Soft's LISTSERV Server
> Date: Wed, 25 May 2005 20:31:29 +0100
> From: NGSSoftware Insight Security Research <[log in to unmask]>
> To: [log in to unmask], [log in to unmask],
> [log in to unmask]
>
> Peter Winter-Smith of NGSSoftware has discovered a number of vulnerabilities
> in L-Soft's LISTSERV list management system. The worst of these carries a
> high risk rating.
>
> Affected versions include:
>
> - LISTSERV version 14.3, including LISTSERV Lite and HPO
> - LISTSERV version 1.8e, including LISTSERV Lite and HPO
> - LISTSERV version 1.8d, including LISTSERV Lite and HPO
>
> Running under Windows and Unix, and OpenVMS AXP.
>
> Several of the flaws in question allow remote arbitrary code execution,
> others allow remote denial of service.
>
> This issue has been resolved in the latest release of L-Soft LISTSERV
> (version 14.3 level set 2005a and above), which may be downloaded from:
>
> http://www.lsoft.com/download/listserv.asp
> http://www.lsoft.com/download/listservlite.asp
>
> I (Peter Winter-Smith) would like to extend a special thanks to the support
> and development teams at L-Soft who were able to address these issues, from
> reporting to published fix, in well under a week.
>
> NGSSoftware are going to withhold details of this flaw for three months. Full
> details will be published on the 25th August 2005. This three month window
> will allow users of L-Soft's LISTSERV the time needed to apply the patch
> before the details are released to the general public. This reflects
> NGSSoftware's approach to responsible disclosure.
>
> NGSSoftware Insight Security Research
> http://www.ngssoftware.com
> http://www.databasesecurity.com/
> http://www.nextgenss.com/
> +44(0)208 401 0070
>